// Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License.
using CommandLine;
using Microsoft.CST.AttackSurfaceAnalyzer.Objects;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
namespace Microsoft.CST.AttackSurfaceAnalyzer
{
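[Verb("collect", HelpText = "Collect operating system metrics")]
/// <summary>
/// Options for the "collect" verb: everything in <see cref="CollectorOptions"/> plus the
/// ability to reuse the collector selection of an earlier run.
/// </summary>
public class CollectCommandOptions : CollectorOptions
{
    // Identifier of a previous run whose set of enabled collectors should be reused.
    [Option("match-run-id", Required = false, HelpText = "Match the collectors used on another run id")]
    public string? MatchedCollectorId { get; set; }

    /// <summary>
    /// Creates a <see cref="CollectCommandOptions"/> that carries every setting of
    /// <paramref name="opts"/>, including the <see cref="CommandOptions"/> base settings.
    /// </summary>
    /// <param name="opts">The collector options to copy from.</param>
    /// <returns>
    /// A new instance with all <see cref="CollectorOptions"/> and <see cref="CommandOptions"/>
    /// properties copied; <see cref="MatchedCollectorId"/> is left null.
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="opts"/> is null.</exception>
    public static CollectCommandOptions FromCollectorOptions(CollectorOptions opts)
    {
        if (opts is null)
        {
            throw new ArgumentNullException(nameof(opts));
        }

        // Every settable property of the two base classes is copied explicitly; the
        // collection properties share the source instances, as before.
        return new CollectCommandOptions()
        {
            // CommandOptions (base of base).
            DatabaseFilename = opts.DatabaseFilename,
            Debug = opts.Debug,
            LowMemoryUsage = opts.LowMemoryUsage,   // was dropped by the copy before
            Quiet = opts.Quiet,
            Shards = opts.Shards,                   // was dropped by the copy before
            Verbose = opts.Verbose,

            // CollectorOptions.
            CrawlArchives = opts.CrawlArchives,
            DownloadCloud = opts.DownloadCloud,
            EnableAllCollectors = opts.EnableAllCollectors,
            EnableCertificateCollector = opts.EnableCertificateCollector,
            EnableComObjectCollector = opts.EnableComObjectCollector,
            EnableDriverCollector = opts.EnableDriverCollector,
            EnableEventLogCollector = opts.EnableEventLogCollector,
            EnableFileSystemCollector = opts.EnableFileSystemCollector,
            EnableFirewallCollector = opts.EnableFirewallCollector,
            EnableKeyCollector = opts.EnableKeyCollector,
            EnableNetworkPortCollector = opts.EnableNetworkPortCollector,
            EnableProcessCollector = opts.EnableProcessCollector,
            EnableRegistryCollector = opts.EnableRegistryCollector,
            EnableServiceCollector = opts.EnableServiceCollector,
            EnableTpmCollector = opts.EnableTpmCollector,
            EnableUserCollector = opts.EnableUserCollector,
            EnableWifiCollector = opts.EnableWifiCollector,
            GatherHashes = opts.GatherHashes,
            GatherVerboseLogs = opts.GatherVerboseLogs,
            GatherWifiPasswords = opts.GatherWifiPasswords,
            Overwrite = opts.Overwrite,
            RunId = opts.RunId,
            SelectedDirectories = opts.SelectedDirectories,
            // Was dropped by the copy before, so a requested skip list was silently lost
            // and the skipped paths got scanned anyway.
            SkipDirectories = opts.SkipDirectories,
            SelectedHives = opts.SelectedHives,
            SingleThread = opts.SingleThread
        };
    }
}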
/// <summary>
/// Options shared by the verbs that run collectors ("collect" and "guide").
/// Each Enable* flag switches on one collector; <see cref="EnableAllCollectors"/> switches on all of them.
/// </summary>
public class CollectorOptions : CommandOptions
{
    // Widens the file collector's scope to the contents of every archive it meets; the help text
    // warns this can greatly increase scan time.
    [Option("crawl-archives", Required = false, HelpText = "Attempts to crawl every archive file encountered when using File Collector. May dramatically increase run time of the scan.")]
    public bool CrawlArchives { get; set; }

    // Downloads placeholder (cloud-only) files so they can be inspected; downloading implies network access.
    [Option(HelpText = "Download files from thin Cloud Folders (like OneDrive) to check them.")]
    public bool DownloadCloud { get; set; }

    [Option('a', "all", Required = false, HelpText = "Enable all collectors")]
    public bool EnableAllCollectors { get; set; }

    [Option('c', "certificates", Required = false, HelpText = "Enable the certificate store collector")]
    public bool EnableCertificateCollector { get; set; }

    [Option('C', "com", Required = false, HelpText = "Enable the COM object collector")]
    public bool EnableComObjectCollector { get; set; }

    [Option('d', "driver", Required = false, HelpText = "Enable the driver collector")]
    public bool EnableDriverCollector { get; set; }

    [Option('l', "logs", Required = false, HelpText = "Enable the Log collector")]
    public bool EnableEventLogCollector { get; set; }

    [Option('f', "file-system", Required = false, HelpText = "Enable the file system collector")]
    public bool EnableFileSystemCollector { get; set; }

    [Option('F', "firewall", Required = false, HelpText = "Enable the firewall collector")]
    public bool EnableFirewallCollector { get; set; }

    [Option('k', "keys", Required = false, HelpText = "Gather information about the cryptographic keys on the system.")]
    public bool EnableKeyCollector { get; set; }

    [Option('p', "network-port", Required = false, HelpText = "Enable the network port collector")]
    public bool EnableNetworkPortCollector { get; set; }

    [Option('P', "process", Required = false, HelpText = "Enable the process information collector")]
    public bool EnableProcessCollector { get; set; }

    [Option('r', "registry", Required = false, HelpText = "Enable the registry collector")]
    public bool EnableRegistryCollector { get; set; }

    [Option('s', "service", Required = false, HelpText = "Enable the service collector")]
    public bool EnableServiceCollector { get; set; }

    [Option('t', "tpm", Required = false, HelpText = "Gather information about the TPM")]
    public bool EnableTpmCollector { get; set; }

    [Option('u', "user", Required = false, HelpText = "Enable the user and group account collector")]
    public bool EnableUserCollector { get; set; }

    [Option('w', "wifi", Required = false, HelpText = "Enable the saved Wifi information collector")]
    public bool EnableWifiCollector { get; set; }

    // Hashes every file the file collector visits; like CrawlArchives this is a significant run-time cost.
    [Option('h', "gather-hashes", Required = false, HelpText = "Hashes every file when using the File Collector. May dramatically increase run time of the scan.")]
    public bool GatherHashes { get; set; }

    [Option(HelpText = "Gather all levels in the Log collector. (Default: Only gather Error and Warning when possible.)")]
    public bool GatherVerboseLogs { get; set; }

    // Sensitive: saved Wi-Fi passwords are gathered together with the network list, so any run data
    // produced with this flag set must be treated as confidential.
    [Option(HelpText = "Gather passwords when gathering wifi networks.")]
    public bool GatherWifiPasswords { get; set; }

    // Destructive: existing data for the given RunId is deleted before collection starts.
    [Option(HelpText = "If the specified runid already exists delete all data from that run before proceeding.")]
    public bool Overwrite { get; set; }

    [Option(HelpText = "Identifies which run this is.")]
    public string? RunId { get; set; }

    // The three list options below are split on ',' by the parser (Separator); defaults are empty lists.
    [Option("directories", Required = false, HelpText = "comma separated list of paths to scan with FileSystemCollector", Separator = ',')]
    public IEnumerable<string> SelectedDirectories { get; set; } = new List<string>();

    [Option("skip-directories", Required = false, HelpText = "comma separated list of paths to skip with FileSystemCollector", Separator = ',')]
    public IEnumerable<string> SkipDirectories { get; set; } = new List<string>();

    [Option("hives", Required = false, HelpText = "comma separated list of hives and subkeys to search.", Separator = ',')]
    public IEnumerable<string> SelectedHives { get; set; } = new List<string>();

    [Option(HelpText = "Force singlethreaded collectors.")]
    public bool SingleThread { get; set; }
}
/// <summary>
/// Options common to every verb: the output database and logging verbosity.
/// All other option classes in this file derive from it.
/// </summary>
public class CommandOptions
{
    // The default is given both on the attribute and as a property initializer, presumably so the
    // value holds whether or not the parser assigns the property when the option is omitted.
    [Option(Required = false, HelpText = "Name of output database (default: asa.sqlite)", Default = "asa.sqlite")]
    public string DatabaseFilename { get; set; } = "asa.sqlite";

    [Option(HelpText = "Show debug logging statements.")]
    public bool Debug { get; set; }

    [Option(HelpText = "Lower memory usage in database. (May reduce performance.)")]
    public bool LowMemoryUsage { get; set; }

    // Quiet and Verbose are independent flags here; which one wins when both are set is decided
    // by whatever configures logging, not by this class.
    [Option(Default = false, HelpText = "Decrease logging to Errors")]
    public bool Quiet { get; set; }

    // NOTE(review): unlike DatabaseFilename no Default is set on the attribute; confirm the parser
    // keeps the initializer value (7) when the option is omitted rather than resetting it to 0.
    [Option(HelpText = "Number of Database Shards to use.")]
    public int Shards { get; set; } = 7;

    [Option(Default = false, HelpText = "Increase logging verbosity")]
    public bool Verbose { get; set; }
}
/// <summary>
/// Options for comparing two runs (pre-install and post-install). This class carries no [Verb]
/// attribute and has no parameterless constructor, so it is presumably populated in code rather
/// than parsed from the command line — confirm against the callers.
/// </summary>
public class CompareCommandOptions : CommandOptions
{
    // Parameter names are PascalCase (they mirror the properties they initialise); kept as-is
    // because callers may pass them by name. Neither argument is validated: a null SecondRunId
    // is stored unchecked even though the property is declared non-nullable.
    public CompareCommandOptions(string? FirstRunId, string SecondRunId)
    {
        this.FirstRunId = FirstRunId;
        this.SecondRunId = SecondRunId;
    }

    // Typed as an already-loaded RuleFile here, whereas ExportOptions.AnalysesFile is a string.
    [Option(HelpText = "Custom analysis rules file.")]
    public RuleFile? AnalysesFile { get; set; }

    [Option(HelpText = "When analyzing Monitor Objects apply rules that would apply to the base type.")]
    public bool ApplySubObjectRulesToMonitor { get; set; }

    [Option(HelpText = "Set Disable Analysis.")]
    public bool DisableAnalysis { get; set; }

    [Option(HelpText = "First run (pre-install) identifier")]
    public string? FirstRunId { get; set; }

    [Option(HelpText = "Save to internal database for review in GUI")]
    public bool SaveToDatabase { get; set; }

    [Option(HelpText = "Second run (post-install) identifier")]
    public string SecondRunId { get; set; }

    // NOTE(review): appears to let rules execute scripts (compare the same flag on ExportOptions,
    // "Enable running Scripts in rules"); when set, the rules file must be treated as trusted code.
    [Option(HelpText = "Run Scripts")]
    public bool RunScripts { get; set; }

    [Option(HelpText = "Force Analysis to be Single-Threaded")]
    public bool SingleThreadAnalysis { get; set; }
}
[Verb("config", HelpText = "Configure and query the database")]
/// <summary>
/// Options for the "config" verb: listing runs, or deleting runs / the whole database.
/// <see cref="DeleteRunId"/>, <see cref="ResetDatabase"/> and <see cref="TrimToLatest"/> are destructive.
/// </summary>
public class ConfigCommandOptions : CommandOptions
{
    // Destructive: removes a single run by id.
    [Option("delete-run", Required = false, HelpText = "Delete a specific run from the database")]
    public string? DeleteRunId { get; set; }

    [Option("list-runs", Required = false, HelpText = "List runs in the database")]
    public bool ListRuns { get; set; }

    // Destructive: deletes the output database named by CommandOptions.DatabaseFilename.
    [Option("reset-database", Required = false, HelpText = "Delete the output database")]
    public bool ResetDatabase { get; set; }

    // Destructive: keeps only the most recent run.
    [Option("trim-to-latest", HelpText = "Delete all runs except the latest.")]
    public bool TrimToLatest { get; set; }
}
[Verb("export-collect", HelpText = "Compare ASA executions and output a .json report")]
/// <summary>
/// Options for the "export-collect" verb: compare two collect runs (or export one) to a .json report.
/// Analysis and output settings come from <see cref="ExportOptions"/>.
/// </summary>
public class ExportCollectCommandOptions : ExportOptions
{
    // Single-run mode: per the help text the run to export is taken from SecondRunId, not FirstRunId.
    [Option(HelpText = "Export single run. (Specify runid with SecondRunId.)")]
    public bool ExportSingleRun { get; set; }

    [Option(HelpText = "First run (pre-install) identifier")]
    public string? FirstRunId { get; set; }

    // Non-nullable with an empty default; nothing in this class checks that a value was supplied.
    [Option(HelpText = "Second run (post-install) identifier")]
    public string SecondRunId { get; set; } = string.Empty;
}
[Verb("export-monitor", HelpText = "Output a .json report for a monitor run")]
/// <summary>
/// Options for the "export-monitor" verb: export a single monitor run to a .json report.
/// Analysis and output settings come from <see cref="ExportOptions"/>.
/// </summary>
public class ExportMonitorCommandOptions : ExportOptions
{
    // Lets rules written for the inner object type (e.g. FILE) also match the monitor wrapper (e.g. FILE_MONITOR).
    [Option(HelpText = "Apply rules for FileTypes contained in Monitor objects to those objects. (For example, FILE rules against FILE_MONITOR objects internal File object)")]
    public bool ApplySubObjectRulesToMonitor { get; set; }

    [Option(HelpText = "Monitor run identifier")]
    public string? RunId { get; set; }
}
[Verb("export-guided", HelpText = "Output a .json for a guided run")]
/// <summary>
/// Options for the "export-guided" verb. Declares nothing of its own: a guided run is exported with
/// exactly the options of <see cref="ExportMonitorCommandOptions"/>, under a separate verb name.
/// </summary>
public class ExportGuidedCommandOptions : ExportMonitorCommandOptions
{
}
/// <summary>
/// Analysis and output settings shared by the export-* verbs (via their derived option classes).
/// </summary>
public class ExportOptions : CommandOptions
{
    // Exposed on the command line as "filename" (the long name is set explicitly, not derived from the property).
    [Option("filename", HelpText = "Custom analysis rules file.")]
    public string? AnalysesFile { get; set; }

    [Option(HelpText = "Set to Disable Analysis.")]
    public bool DisableAnalysis { get; set; }

    [Option(HelpText = "Exploded output")]
    public bool ExplodedOutput { get; set; }

    [Option(HelpText = "Directory to output to")]
    public string? OutputPath { get; set; }

    [Option(HelpText = "Save to internal database for review in GUI")]
    public bool SaveToDatabase { get; set; }

    // Allows rules to run scripts; when set, the rules file named by AnalysesFile must be treated as trusted code.
    [Option(HelpText = "Enable running Scripts in rules")]
    public bool RunScripts { get; set; }

    // Named OutputSarif here but ExportSarif on GuidedModeCommandOptions; the two are not unified.
    [Option(HelpText = "Output Sarif")]
    public bool OutputSarif { get; set; }

    [Option(HelpText = "Force Analysis to be Single-Threaded")]
    public bool SingleThreadAnalysis { get; set; }
}
[Verb("gui", HelpText = "Launch the GUI in a browser.")]
/// <summary>
/// Options for the "gui" verb, which serves the GUI and by default opens a browser on it.
/// </summary>
public class GuiCommandOptions : CommandOptions
{
    // Set when the GUI should only be served (e.g. headless use), without opening a browser.
    [Option(HelpText = "Disable launching a browser after gui starts.")]
    public bool NoLaunch { get; set; }
}
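[Verb("guide", HelpText = "Gather and Analyze metrics using a combination of Collectors and Monitors.")]
/// <summary>
/// Options for the "guide" verb: a collect run, a monitor run and an analysis in one command.
/// Collector settings come from <see cref="CollectorOptions"/>; the analysis and monitor settings
/// below mirror those of <see cref="ExportOptions"/>, <see cref="ExportMonitorCommandOptions"/>
/// and <see cref="MonitorCommandOptions"/>, minus most short flags because the collector base
/// already occupies -d (driver), -F (firewall), -a (all) and -h (gather-hashes).
/// </summary>
public class GuidedModeCommandOptions : CollectorOptions
{
    // Analysis options, mirroring ExportOptions / ExportMonitorCommandOptions.
    [Option(HelpText = "Custom analysis rules file.")]
    public string? AnalysesFile { get; set; }

    [Option(HelpText = "Apply Rules to SubCollect objects of Monitor objects.")]
    public bool ApplySubObjectRulesToMonitor { get; set; }

    [Option(HelpText = "Set Disable Analysis.")]
    public bool DisableAnalysis { get; set; }

    // Monitor options, mirroring MonitorCommandOptions.
    [Option("duration", Required = false, HelpText = "Duration, in minutes, to run for before automatically terminating.")]
    public int Duration { get; set; }

    // Help text fixed: the MonitorCommandOptions wording said "Unless -d is specified", but in this
    // verb -d is the driver collector inherited from CollectorOptions, and MonitoredDirectories
    // has no short flag at all, so the old text pointed users at the wrong option.
    [Option('m', "file-system-monitor", Required = false, HelpText = "Enable the file system monitor. Unless directories to monitor are specified will monitor the entire file system.")]
    public bool EnableFileSystemMonitor { get; set; }

    [Option(HelpText = "Put each result type in its own document.")]
    public bool ExplodedOutput { get; set; }

    [Option(HelpText = "Don't gather extended information when monitoring files.")]
    public bool FileNamesOnly { get; set; }

    // Split on ',' by the parser; defaults to an empty list (monitor the whole file system).
    [Option(HelpText = "Comma-separated list of directories to monitor.", Separator = ',')]
    public IEnumerable<string> MonitoredDirectories { get; set; } = new List<string>();

    [Option(HelpText = "Directory to output to.")]
    public string? OutputPath { get; set; }

    [Option(HelpText = "Save to internal database for review in GUI")]
    public bool SaveToDatabase { get; set; }

    // Allows rules to run scripts; when set, the rules file named by AnalysesFile must be treated as trusted code.
    [Option(HelpText = "Run Scripts")]
    public bool RunScripts { get; set; }

    // Named ExportSarif here but OutputSarif on ExportOptions; kept because the long name is part of the CLI.
    [Option(HelpText = "Export Sarif")]
    public bool ExportSarif { get; set; }

    [Option(HelpText = "Force Analysis to be Single-Threaded")]
    public bool SingleThreadAnalysis { get; set; }
}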
[Verb("monitor", HelpText = "Continue running and monitor activity")]
/// <summary>
/// Options for the "monitor" verb: watch the file system for a period and record the changes.
/// </summary>
public class MonitorCommandOptions : CommandOptions
{
    // Short flags are chosen independently of CollectorOptions (this verb does not derive from it).
    [Option('D', "duration", Required = false, HelpText = "Duration, in minutes, to run for before automatically terminating.")]
    public int Duration { get; set; }

    // "-d" in the help text is the directories option below.
    [Option('F', "file-system-monitor", Required = false, HelpText = "Enable the file system monitor. Unless -d is specified will monitor the entire file system.")]
    public bool EnableFileSystemMonitor { get; set; }

    // NOTE(review): the long name "File names only" contains spaces, so it cannot be typed as a
    // normal --option token; only the -a short form is practical. Renaming it (e.g. to a hyphenated
    // form) would change the public CLI, so it is flagged here rather than changed.
    [Option('a', "File names only", Required = false, HelpText = "Don't gather extended information. Overrides any argument to include additional data.")]
    public bool FileNamesOnly { get; set; }

    [Option('h', "gather-hashes", Required = false, HelpText = "Gather a hash of each file that is modified or created.")]
    public bool GatherHashes { get; set; }

    // Split on ',' by the parser; defaults to an empty list (monitor the whole file system).
    [Option('d', "directories", Required = false, HelpText = "Comma-separated list of directories to monitor.", Separator = ',')]
    public IEnumerable<string> MonitoredDirectories { get; set; } = new List<string>();

    //[Option('r', "registry", Required = false, HelpText = "Monitor the registry for changes. (Windows Only)")]
    //public bool EnableRegistryMonitor { get; set; }

    // Destructive: existing data for the given RunId is deleted before monitoring starts.
    [Option(Default = false, HelpText = "If the specified runid already exists delete all data from that run before proceeding.")]
    public bool Overwrite { get; set; }

    // NOTE(review): "Timestamp" is a literal default, presumably a sentinel that the monitor command
    // replaces with an actual timestamp — confirm against the code that consumes RunId.
    [Option(HelpText = "Identifies which run this is. Monitor output can be combined with collect output, but doesn't need to be compared.", Default = "Timestamp")]
    public string? RunId { get; set; }

    // Values are System.IO.NotifyFilters members (presumably bound by name by the parser); an empty
    // sequence here leaves the choice of filters to the monitor itself.
    [Option(HelpText =
        "Specify which NotifyFilters to use for file monitoring, comma separated if provided via cli.", Separator = ',')]
    public IEnumerable<NotifyFilters> Filters { get; set; } = Enumerable.Empty<NotifyFilters>();
}
[Verb("verify", HelpText = "Verify your analysis rules")]
/// <summary>
/// Options for the "verify" verb, which checks a rules file (or the embedded rules) without running a scan.
/// </summary>
public class VerifyOptions : CommandOptions
{
    // Spelled AnalysisFile here but AnalysesFile on the other option classes; both are exposed as
    // "filename" where the long name is set explicitly.
    [Option("filename", Required = false, HelpText = "Path to your rule file (leave blank to test the embedded rules)")]
    public string? AnalysisFile { get; set; }

    // Allows rules to run scripts during verification; when set, the rules file must be treated as trusted code.
    [Option(HelpText = "Run Scripts in Rules")]
    public bool RunScripts { get; set; }
}
}